This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.
Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.
Symptoms to help you determine if you are infected
- Account lockout policies are being tripped
- Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
- Errors related to SVCHOST
- Domain Controllers are slow to respond to client requests
- Network congestion
- Various security related websites are not accessible including Windows Update.
For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.
Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.
The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:
- Install patch KB958644 for MS08-067 if not installed
- Attempt to remove the “Conficker”/”Downandup” worm
- Enable Hidden Setting
- Delete all scheduled tasks
- Stop and disable services. (lanmanserver, schedule)
- Run MSRT – Malicious Software Removal Tool
- Install Autorun hotfix if not installed
- Install KB950582 for vulnerability MS08-038
- Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
- Remove Hidden Setting
- Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
- Install patch KB958644 for MS08-067 and restart
You will need to download the following files and batch script and drop them into the NetLogon share.
- Getver.exe – contained in ConfickerClean-v10.3.zip here ==> and script to remove “Conficker”/”Downandup” locally here ==> .
- SC.EXE – contained in ConfickerClean-v10.3.zip
- REG.exe – contained in ConfickerClean-v10.3.zip
- windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
- windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
- sleep.exe – contained in ConfickerClean-v10.3.zip
- Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
- Place all 3 updates in the Netlogon directory.
- Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.
Now you will proceed to create and push a Group Policy to the domain.
- Edit the <domain.com> values in the script.
- Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
- Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
- Link the GPO with the Startup Script to the OU and Groups where you want it to apply.
Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.
Why disable the Server service?
This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.
Why disable the Task Scheduler service?
This is because the malware creates several AT jobs that run every hour to reinfect the system.
Why install MS08-067?
This is the main attack vector of the malware.
Why disable Autorun?
This is because the malware drops a binary file called Autorun.inf on all removable drives.
All credit to Microsoft Support Engineering